Hi To proceed with unlang, how can I ensure that the Access-Request contains specific IE. For example:
- <IMEI Field> : 1234567890123 - <Hardware Id> : AC12BD54FS56TRZS506 - etc.. Also, Is there any limitation to number of parameters and size, that can be contained in any Access-Request? I wish to compare these field values to my database and if not present in Request, directly process Reject. Br, Navodit On Thu, Jul 18, 2013 at 10:04 PM, Matt Zagrabelny <mzagr...@d.umn.edu>wrote: > On Thu, Jul 18, 2013 at 10:46 AM, Alan DeKok <al...@deployingradius.com> > wrote: > > Navodit Bhardwaj wrote: > >> For each Access-Request recieved and authenticated successfully I want > >> to do following: > >> > >> 1. Verify if Access-Request contains a parameter i.e IMEI of mobile > >> 2. If Not, send Access-Reject. Else, > >> 3. compare IMEI to value in database and assign a 32bit hex number in > >> Access-Accept > > > > You should be able to just write this in unlang. Write down which > > attributes you have, and what values you're looking for. Then, write > > the logic. > > Navodit, > > I just asked a similar question and this is the logic I added to my > default site, right after 'preprocess': > > if (CVPN3000-Tunnel-Group-Name == 'Bookstore') { > if (SQL-Group == 'RADIUS:bookstore') { > noop > } > else { > reject > } > } > > What the above logic "says" is: > > If the user is requesting to be in the Bookstore VPN group then if > they are part of the RADIUS:bookstore group, continue (noop), else > reject them. > > You'll need to change 'CVPN3000-Tunnel-Group-Name' and 'Bookstore', > and remove the second 'if' statement. > > >> Basically, I am doing a second authentication after initial > >> authentication (PAP, CHAP) is successful. > > > > Don't do that. Do it *before* PAP or CHAP. In the "authorize" > section. > > Alan, > > I've got a similar question that dovetails into this discussion. > Suppose I wanted to reject certain users and wanted the Reply-Message > to be customized per user authenticating, but I want to ensure that I > am not leaking the customized message. Is there a way to test the > user/pw combo first and *then* perform unlang logic? > > Thanks, > > -mz > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > -- br, Navodit Bhardwaj Hughes Systique Corporation
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html